Sunday, January 18, 2009

During a network penetration test, Windows command shell access is often obtained through some sort of exploit. If, for example, Metasploit is being used, command shell access can be delivered as the payload of a buffer overflow exploit. Or if perhaps the Meterpreter is being used, command shell access can be had by executing a CMD.EXE and interacting directly with it, or perhaps by having NETCAT shovel a command shell back to the penetration tester.

The challenge is that command shell access is not equivalent to full terminal access. The command shell may produce strange output due to control characters. Some commands may not function normally if they depend on the use of control sequences. If using NETCAT to shovel a shell, entering CTRL-C to terminate some command can end up terminating your shell!

If a penetration tester is permitted to modify the target server, then a more consistent, fully functional terminal level access will greatly help during the testing process. A number of choices exist including activating the telnet service, activating Microsoft terminal services (remote desktop protocol), installing VNC (www.realvnc.com), or installing OpenSSH for Windows. VNC is a great choice as it provides an easy command line installation with files residing in a single directory, and only a limited number of registry entries, however it offers no encryption. The telnet service offers no encryption either.

OpenSSH for windows (http://sshwindows.sourceforge.net/) is a minimized Cygwin (http://www.cygwin.com) environment that has been customized to support only SSH. It supports SSH command line terminal access, and secure copy / secure file transfer. Because the setup process in the OpenSSH packages uses the GUI, you have to perform some steps to customize your own command line only installation.

Preparing for a custom command line OpenSSH Installation in your lab

The basic steps to prepare a command line OpenSSH installation for Windows are as follows:

2. Run the GUI installer package on your Windows lab/test machine. I suggest accepting the default program location of C:\Program Files\OpenSSH

3. Get a full copy of all of the files under the directory C:\Program Files\OpenSSH onto a USB flash drive or other favorite media. Copy recursively with XCOPY and make sure you fully retain the directory structure.

4. Export the following registry keys using the REG EXPORT command as follows:

5. Concatenate all of these registry files together into one file. TYPE 1.REG 2.REG 3.REG >OPENSSH.REG

6. Save this OPENSSH.REG file into your local copy of all of the openssh directory structure.

Performing an installation via command shell

Now that you have all of this data saved on your USB thumb drive, lets assume that our penetration testing machine is a CentOS Linux operating system with IP address of 192.168.1.37, and that our target is a Windows 2003 SP0 machine with IP address of 192.168.1.40. Our penetration testing Linux machine has our OpenSSH package files mounted under /mnt/PenTestTools/win32/OpenSSH.

Our target happens to have the MS08-067 Server Service RPC vulnerability. Below is an example of how we exploit this vulnerability using Metasploit (www.metasploit.com) with the Meterpreter payload, upload our OpenSSH server files, add a new username, perform some minimal configuration and start the OpenSSH service.

Here, we import all of our registry keys, then add our own username making sure to put it into the administrators group. Then we create the passwd and group files that OpenSSH needs for authentication purposes.

**Note: adding a port for the firewall is necessary if the firewall exists. If not, then you will get the command not found error message. It is a good idea to restrict the source networks so that you don’t leave a gaping opportunity while testing.

To clean up everything when you are finished, you need to delete the OpenSSH service, delete the registry keys and remove all of the relevant files. The following recipe should work reasonably well from a command shell. Remember that you cannot be using OpenSSH when deleting the service! So, you may need to exploit again with shell code before removing it.